[Opendnssec-user] Empty zonelists not permitted?
Sion Lloyd
sion at nominet.org.uk
Tue Jul 6 09:30:39 UTC 2010
> We are scripting a push-button DNSSEC service around OpenDNSSEC, as
> foreseen in the project (and its logo). As part of that, we generate
> kasp.xml and zonelist.xml from scripts. OpenDNSSEC appears to be quite
> suitable for this!
>
> We found that empty lists of zones are not welcomed by OpenDNSSEC. Is
> there a specific reason for this? We'd prefer if our system wouldn't get
> disrupted in this possible (intermediate) state.
>
> The same applies to policies -- we generate policies because we group zones
> that need to share a key set in the HSM. We assign a key set to each
> independent customer of SURFnet. But if there are no zones, there are no
> groups, and no policies either. Are we crazy for trying to create an
> empty list of policies in case the list of zones is empty, or are we
> merely exploring new areas?

I had certainly never thought about starting a system with a "blank slate"
like this, so I am not surprised that it doesn't work.

Without a command to add new policies you presumably have to edit the XML and
then run "ods-ksmutil update kasp"?

Sion